Description
An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-34927 but exists in a different named pipe communication mechanism.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
Published: 2026-05-21
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An origin validation flaw in the Apex One/SEP agent allows a local attacker who already has low‑privileged code execution to elevate privileges. The flaw involves improper validation of data arriving over a named pipe, granting the attacker higher system rights. Because the attacker must first execute code locally, the impact is limited to systems where local code execution is possible, but it can compromise the entire host once privileges are escalated.

Affected Systems

Trend Micro’s TrendAI Apex One and TrendAI Apex One as a Service are affected. The vulnerability exists in on‑prem Apex One version 14.0.0.17079 and in the SaaS version 14.0.0.20731. Both versions rely on a named pipe IPC mechanism that is vulnerable to origin validation bypass.

Risk and Exploitability

The CVSS score of 7.8 marks this flaw as high severity, and it is not currently listed in the CISA KEV catalog. EPSS data is not available, so the likelihood of exploitation is unknown, but the local requirement reduces the attack surface to users who can run code on the machine. An attacker who gains low‑privileged execution can exploit the origin validation bypass to raise privileges, making the vulnerability potentially critical in environments where local code execution is possible.

Generated by OpenCVE AI on May 21, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact Trend Micro to obtain the official patch that addresses the origin validation flaw and deploy it to all installations of TrendAI Apex One 14.0.0.17079 and Apex One as a Service 14.0.0.20731.
  • Enforce the principle of least privilege on local accounts to limit the ability to run low‑privileged code that could be used to trigger the exploit.
  • Review and tighten access controls for the inter‑process communication channel used by the Apex One agent, ensuring that only trusted services can create or read the relevant named pipe.



Advisories

No advisories yet.

History

Thu, 21 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 21 May 2026 15:00:00 +0000

Type | Values Removed | Values Added
Title | | Local Privilege Escalation via Origin Validation in Trend Micro Apex One Agent

Thu, 21 May 2026 13:45:00 +0000

Type | Values Removed | Values Added
Description | | An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-34927 but exists in a different named pipe communication mechanism. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
First Time appeared | | Trendmicro; Trendmicro apexone Op; Trendmicro apexone Saas
Weaknesses | | CWE-346
CPEs | | cpe:2.3:a:trendmicro:apexone_op:14.0.0.17079:*:*:*:*:*:*:*; cpe:2.3:a:trendmicro:apexone_saas:14.0.0.20731:*:*:*:*:*:*:*
Vendors & Products | | Trendmicro; Trendmicro apexone Op; Trendmicro apexone Saas
References | |
Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: trendmicro

Published:

Updated: 2026-05-21T14:24:49.602Z

Reserved: 2026-03-31T17:22:13.504Z

Link: CVE-2026-34928

Vulnrichment

Updated: 2026-05-21T14:02:42.942Z

NVD

Status: Undergoing Analysis

Published: 2026-05-21T14:16:45.463

Modified: 2026-05-21T15:05:28.023

Link: CVE-2026-34928

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T14:45:12Z

Weaknesses